Trans-Atlantic Data Privacy (TADP) Framework
On March 25, 2022, the United States (U.S.) and the European Union (EU) announced a political agreement on a new Trans-Atlantic Data Privacy (TADP) Framework to safeguard commercial cross-border data flows.
Acronyms, Abbreviations, and Initialisms
| Short Form | Full Form |
|---|---|
| BCR | Binding Corporate Rule |
| DOC | Department of Commerce |
| SCC | Standard Contractual Clause |
| TADP | Trans-Atlantic Data Privacy |
Despite U.S. assurances, many in the EU have remained uneasy about U.S. intelligence and surveillance laws and possible U.S. government access to EU citizens' personal data. The new framework would increase safeguards and limits on U.S. signals intelligence activities, establish a new redress mechanism with independent and binding authority (the Data Protection Review Court), and add oversight procedures for signals intelligence activities.
Participating companies and organizations that take advantage of the TADP Framework to protect data flows would continue to be required to adhere to the Privacy Shield Principles and to self-certify through the U.S. Department of Commerce (DOC).
EU officials hope that the new TADP Framework will be finalized and adopted by the end of 2022.
Apart from the new framework, U.S. firms have limited options for cross-border data flows with the EU. They include:
- Create Binding Corporate Rules (BCRs) that EU officials must approve on a firm-by-firm basis;
- Implement updated EU-approved Standard Contractual Clauses (SCCs) and reassess for adequate safeguards according to the CJEU ruling;
- Use commercial cloud services provided by large technology firms that use approved BCRs or updated SCCs (e.g., Microsoft, IBM);
- Store EU citizens' personal data only in the EU or another approved country, an idea advocated by some European DPAs and other stakeholders, but which others view as a potentially costly data localization trade barrier;
- Obtain consent from individuals for every single transfer of personal data, likely a logistically challenging and costly option for most entities;
- Exit or limit participation in the EU market.

About the TADP Framework:
- The TADP Framework will supersede the Privacy Shield.
- The TADP Framework will require participating companies and organizations to adhere to the Privacy Shield Principles.
- Participation in the TADP Framework will be voluntary.
- Once an eligible organization makes the public commitment to comply with the Framework requirements, the commitment will become enforceable under U.S. law.